Privacy Policy
Tinct SAS · Last updated June 2026
This Privacy Policy explains how Tinct SAS (“Tinct”, “we”, “us”) processes personal data in connection with the Tinct platform, a B2B account-based marketing (ABM) landing-page personalisation service. It is written to comply with Regulation (EU) 2016/679 (the “GDPR”) and the French Data Protection Act (Loi Informatique et Libertés).
1. Who we are
Data controller | Tinct SAS (société par actions simplifiée) |
|---|---|
Registered office | 5 Rue Pleyel, Bureau 3, 93200 Saint-Denis, France |
Registration | SIREN 101 730 018 — RCS Bobigny |
Data protection contact | |
Data Protection Officer | Not formally appointed — our processing does not meet the Article 37 GDPR criteria for a mandatory DPO. Data protection questions are handled at the address above. |
2. Our two roles
Depending on the data, Tinct acts in one of two capacities under the GDPR:
As a data controller — for personal data relating to our own platform users (account, organisation, billing, security and support data). This Policy governs that processing.
As a data processor — for the website-visitor analytics data we process on behalf of our customers when our technology runs on their websites. In that case the customer is the controller, and the processing is governed by our Data Processing Agreement. If you are a visitor to a website using Tinct and wish to exercise your rights, please contact the operator of that website; we will assist them as required under Article 28 GDPR.
3. What data we collect, why, and our legal basis
As a controller, we process the following categories of personal data:
Purpose | Data | Legal basis (GDPR) |
|---|---|---|
Account creation, authentication & profile | Email, password (bcrypt hash), first/last name, profile image (optional), phone (optional), Google / LinkedIn / Microsoft OAuth IDs (optional), language & notification preferences | Art. 6(1)(b) — performance of a contract |
Organisation & team management | Email, name, role (Admin/Editor/Viewer), invitation status, inviter identity, join date | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest (enabling teams) |
Billing & invoicing | Billing name, email, address, phone (optional), subscription status. Card data is handled directly by Stripe and never stored by Tinct. | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (accounting) |
Security, fraud prevention & audit | IP address, last-activity date, access/security logs | Art. 6(1)(f) — legitimate interest (securing the service) |
AI campaign-configuration assistant | Free-text chat messages (which may incidentally contain personal references) | Art. 6(1)(b) — contract |
Service communications | Email address (for transactional emails: verification, password reset, invitations, notifications) | Art. 6(1)(b) — contract |
Product & AI improvement | Aggregated, anonymised usage and Client Data | Art. 6(1)(f) - legitimate interest; opt-out available per Terms Art. 4.2. |
We do not process special categories of personal data (Article 9 GDPR), and we do not carry out automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR).
4. Website-visitor analytics (where we act as processor)
When our technology runs on a customer’s website, it identifies the visiting company via reverse IP lookup in order to serve personalised content; it does not identify, track or profile individual natural persons. Our snippet can run in two configurations:
Basic — a session identifier stored only for the duration of the visit (cleared when the browser tab closes). No persistent identifier; no consent required where the CNIL audience-measurement exemption conditions are met.
Advanced — a persistent cookie that recognises returning visitors. This requires the visitor’s prior consent under the ePrivacy Directive before the cookie is set.
The customer operating the website is the data controller for this processing and is responsible for the lawful basis, consent and transparency toward its visitors. The Tinct cookie is set on the customer's own website (not on tinct.ai) and is disclosed in that website's cookie notice; this processing is governed by our Data Processing Agreement.
5. Who we share your data with
We share personal data only with vetted service providers (sub-processors) who process it on our behalf under written agreements with GDPR-compliant safeguards, and with authorities where required by law. We never sell your personal data.
The complete, up-to-date list of our sub-processors — including their role, location and transfer mechanism — is published at tinct.ai/static/sub-processors.
6. International data transfers
Our primary infrastructure is hosted within the European Union (AWS, eu-west-1, Ireland). Where a sub-processor processes data outside the European Economic Area, we rely on appropriate safeguards under Chapter V GDPR — primarily the European Commission’s Standard Contractual Clauses (SCCs), and, for several US providers (such as Stripe, Google and Microsoft), additional certification under the EU–US Data Privacy Framework.
7. How long we keep your data
Data | Retention |
|---|---|
Account & profile data | Duration of the account + 30 days (scheduled deletion) |
Organisation membership data | Duration of membership + 30 days |
Billing & invoicing records | Duration of the contract + 10 years (French Commercial Code, Art. L123-22) |
Security / access logs (CloudWatch) | 90 days |
AI conversation history | Duration of the account |
Verification codes / OTP | Until used or expired (short-lived) |
Persistent analytics cookie (Advanced mode) | 13 months; associated data max 25 months (CNIL guidance) |
8. Your rights
Under the GDPR you have the right to: access your data; rectify inaccurate data; erase your data; restrict processing; data portability (in a structured, machine-readable format); object to processing based on legitimate interest; and, where processing is based on consent, withdraw that consent at any time without affecting prior processing.
Most of these can be exercised directly in your account settings. Otherwise, contact contact@tinct.ai; we respond within one month. You also have the right to lodge a complaint with your local supervisory authority — in France, the CNIL (cnil.fr).
9. Security
We implement technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR, including: encryption at rest (AES-256) and in transit (TLS 1.2+); databases isolated in private networks with no public access; role-based access control and secrets management; multi-factor and OTP verification for sensitive operations; rate limiting and bot protection; continuous monitoring and logging; and a documented data-breach response procedure (notification to the CNIL within 72 hours where required). Tinct is also pursuing ISO 27001 certification.
10. Cookies
Our website and platform use cookies and similar technologies. For details and to manage your preferences, see our Cookie Policy.
11. Changes to this policy
We may update this Policy from time to time. The current version is always published on this page with its “last updated” date; we will notify users of material changes by email where appropriate.
12. Contact
Questions about your data or this Policy? Email contact@tinct.ai or write to Tinct SAS, 5 Rue Pleyel, Bureau 3, 93200 Saint-Denis, France.
